Setting Up FTPS To Deal With The "Connectivity_README_2.1_Secure" Document

Document ID : KB000048075
Last Modified Date : 14/02/2018

Description:

IBM has stated that, as of October 19th, 2014, it will NO longer be possible to download IBM software and service using FTP.
From that date, ONLY FTPS will be allowed.

Solution:

Here is a CA Top Secret (TSS) translation of "Connectivity_README_2.1_Secure".

*** Top Of Data ***

Customized Offerings Connectivity Test

You may need to create a new root signing certificate in order to access the secure zone where the test file is located. The following instructions assume you are using CA Top Secret. If you are using an equivalent security product, you should refer to that product's documentation to understand the equivalent actions.

You will need to define the necessary resources in the IBMFAC class to give you access to use the related TSS commands to define/add certificates and define the keyring.

Use of these TSS commands requires appropriate permission to the IRR.DIGTCERT.function resource under the IBMFAC class. In general, READ access is required to manipulate your own certificates and key rings, UPDATE access is required to manipulate them for other users, and CONTROL access is required to manipulate CERTAUTH (certificate authority) certificates. Therefore, you can use the following sample TSS ADD and PERMIT commands to define the necessary resources in the IBMFAC class and to give you access to use the related TSS commands to define/add certificates and define the keyring:

Here are the RACF commands:


RDEFINE FACILITY IRR.DIGTCERT.ADD UACC(NONE)
RDEFINE FACILITY IRR.DIGTCERT.ADDRING UACC(NONE)
RDEFINE FACILITY IRR.DIGTCERT.ALTER UACC(NONE)
RDEFINE FACILITY IRR.DIGTCERT.CONNECT UACC(NONE)
RDEFINE FACILITY IRR.DIGTCERT.LIST UACC(NONE)
RDEFINE FACILITY IRR.DIGTCERT.LISTRING UACC(NONE)

Here are the CA Top Secret equivalents:

TSS ADD(#dept) IBMFAC(IRR.)

Where #dept is an already defined department. You may instead create a new department, or the resource may already be owned in your environment.

Next set of RACF commands:


PERMIT IRR.DIGTCERT.ADD CLASS(FACILITY) ID(userid) ACCESS(READ)
PERMIT IRR.DIGTCERT.ADDRING CLASS(FACILITY) ID(userid) ACCESS(READ)
PERMIT IRR.DIGTCERT.ALTER CLASS(FACILITY) ID(userid) ACCESS(READ)
PERMIT IRR.DIGTCERT.CONNECT CLASS(FACILITY) ID(userid) ACCESS(UPDATE)
PERMIT IRR.DIGTCERT.LIST CLASS(FACILITY) ID(userid) ACCESS(READ)
PERMIT IRR.DIGTCERT.LISTRING CLASS(FACILITY) ID(userid) ACCESS(READ)

Next set of TSS commands:


TSS PER(USERID) IBMFAC(IRR.DIGTCERT.ADD)      ACCESS(READ)
TSS PER(USERID) IBMFAC(IRR.DIGTCERT.ADDRING)  ACCESS(READ)
TSS PER(USERID) IBMFAC(IRR.DIGTCERT.ALTER)    ACCESS(READ)
TSS PER(USERID) IBMFAC(IRR.DIGTCERT.CONNECT)  ACCESS(UPDATE)
TSS PER(USERID) IBMFAC(IRR.DIGTCERT.LIST)     ACCESS(READ)
TSS PER(USERID) IBMFAC(IRR.DIGTCERT.LISTRING) ACCESS(READ)

Where USERID is your TSO Id or any acid you want to use.

Notes:

  1. UPDATE access is required to the IRR.DIGTCERT.CONNECT profile in the IBMFAC class in order to connect a certificate authority (CA) certificate to your key ring.

  2. To use the SMP/E RECEIVE ORDER command, access is required only to the IRR.DIGTCERT.LIST and IRR.DIGTCERT.LISTRING profiles. Access to the other resources is required to create and manipulate key rings and digital certificates.

    When your user ID has the proper authorization, you will be able to create the digital certificate.

    To create the certificate,

  1. Download the Root 2 - GeoTrust Global CA (Base-64 encoded x.509) certificate from:
    https://www.geotrust.com/resources/root-certificates/index.html

  2. Allocate a physical sequential (PS) dataset on your z/OS host to store the certificate. For example, tsouid.GEOTRUST.CERT:
    Organization . . . : PS
    Record format . . . : VB
    Record length . . . : 256
    Block size . . . . : 27998
    Allocated blocks . : 2
    Allocated extents . : 1

  3. Transfer, in ASCII mode, the GeoTrust Global CA certificate to your dataset tsouid.GEOTRUST.CERT.

  4. Add the GeoTrust Global CA certificate to your CA Top Secret database with TRUST status:

    Here is the RACF command:

    RACDCERT CERTAUTH ADD('tsouid.GEOTRUST.CERT') HIGHTRUST -
    WITHLABEL('GeoTrust Global CA')

    Here is the TSS command:

    TSS ADD(CERTAUTH) DIGICERT(#cert01) -
    DCDSN('tsouid.GEOTRUST.CERT') HITRUST -
    LABLCERT('GeoTrust Global CA')

  5. Create a key ring in RACF to be used for secure FTP.

    For example, FtpSecur:

    Here is the RACF command:

    RACDCERT ID(tsouid) ADDRING(FtpSecur)

    Here is the TSS command:

    TSS ADD(TSOUID) KEYRING(#keyr) LABLRING(FtpSecur)

    Where TSOUID is your TSO Id or any acid you want to use.
    #keyr is the keyring id for CA Top Secret.

  6. Connect the GeoTrust Global CA certificate to your keyring FtpSecur

    Here is the RACF command:

    RACDCERT ID(tsouid) CONNECT(CERTAUTH LABEL('GeoTrust Global CA') -
    RING(FtpSecur) USAGE(CERTAUTH) DEFAULT)

    Here is the TSS command:

    TSS ADD(TSOUID) KEYRING(#keyr) -
    LABLRING(FtpSecur) -
    RINGDATA(CERTAUTH,#cert01) -
    USAGE(CERTAUTH) -
    DEFAULT

  7. Refresh the RACListed profiles.

    Here is the RACF command:

    SETROPTS RACLIST(DIGTCERT DIGTRING) REFRESH

    There isn't a CA Top Secret equivalent of this RACF command.

  8. Update your tsouid.FTP.DATA dataset to point to the new keyring:

    KEYRING FtpSecur

  9. You will need to have the SSL Security Level 3 FMID installed on your driving system in order to successfully complete the SSL handshake.

*** End Of Data ***
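Steps 1 to 4 above depend on the downloaded file really being a Base-64 (PEM) root certificate that fits the VB 256-byte-record dataset and survives an ASCII-mode transfer. The following script is an added example, not part of the IBM README or of CA Top Secret: it checks a local PEM file before it is sent to the host (record length against the LRECL, plain ASCII content, intact PEM markers, valid Base-64, a single DER SEQUENCE, and issuer equal to subject, which is what a self-signed root such as the one added with HITRUST should show). The names `check_cert_file` and `_enc` are my own, and `SAMPLE_PEM` is a constructed stand-in with just enough X.509 structure to exercise the checks, not a real GeoTrust certificate.

```python
import base64
import ssl

def _tlv(buf, pos):                     # read one DER TLV: (tag, value, next position)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                   # long form: low bits give the count of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _children(seq):                     # (tag, value) elements inside a SEQUENCE body
    out, pos = [], 0
    while pos < len(seq):
        tag, val, pos = _tlv(seq, pos)
        out.append((tag, val))
    return out

def check_cert_file(text, lrecl=256):
    """Return a list of problems; an empty list means the file is ready to transfer."""
    problems, lines = [], text.splitlines()
    if any(len(line) > lrecl for line in lines):
        problems.append(f"a line is longer than the dataset LRECL of {lrecl}")
    if not text.isascii():
        problems.append("non-ASCII characters present: not a plain Base-64 file")
    body = [line.strip() for line in lines if line.strip()]
    if len(body) < 3 or body[0] != "-----BEGIN CERTIFICATE-----" \
            or body[-1] != "-----END CERTIFICATE-----":
        return problems + ["PEM BEGIN/END CERTIFICATE markers missing: not a Base-64 encoded certificate"]
    try:
        der = base64.b64decode("".join(body[1:-1]), validate=True)
        tag, content, end = _tlv(der, 0)
        if tag != 0x30 or end != len(der):
            return problems + ["decoded bytes are not one DER SEQUENCE"]
        tbs = _children(content)[0][1]                        # tbsCertificate
        fields = [f for f in _children(tbs) if f[0] != 0xA0]  # drop the [0] version field
        issuer, subject = fields[2][1], fields[4][1]          # serial, alg, issuer, validity, subject
    except (ValueError, IndexError):
        return problems + ["Base-64 body does not decode to a well-formed certificate"]
    if issuer != subject:
        problems.append("issuer differs from subject: not a self-signed root CA")
    return problems

# Constructed sample, not a real certificate: just enough DER structure for the checks above.
def _enc(tag, body):                    # short-form lengths suffice for this small sample
    return bytes([tag, len(body)]) + body
_name = _enc(0x30, _enc(0x31, _enc(0x30, _enc(0x06, b"\x55\x04\x03") + _enc(0x13, b"Sample Root"))))
_tbs = _enc(0x30, _enc(0xA0, _enc(0x02, b"\x02")) + _enc(0x02, b"\x01")
            + _enc(0x30, _enc(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"))
            + _name + _enc(0x30, b"") + _name + _enc(0x30, b""))
SAMPLE_PEM = ssl.DER_cert_to_PEM_cert(_enc(0x30, _tbs + _enc(0x30, b"") + _enc(0x03, b"\x00")))
```

Run `check_cert_file(open("geotrust.pem").read())` on the real download; an empty list means the file is safe to transfer in ASCII mode into the VB/256 dataset.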

In addition to the above, check your IP ports: they must be open for FTPS to work correctly.
For FTPS, these are usually ports 989 and 990.